The CJEU has confirmed that a "conflict of interest" exists when a Data Protection Officer ("DPO") is also assigned other tasks or duties which require them to make decisions about the objectives and methods of personal data processing on behalf of their employer. A common example of this is where the appointed DPO also performs another role such as COO or CTO – which is regularly the case for Irish and multinational businesses.
Background
In Case C-453/21, X-FAB Dresden GmbH & CO. KG v FC ("X-FAB Dresden"), FC, an employee of X-FAB Dresden GmbH, was chair of its works council, and vice-chair of the central works council for the group to which it belonged. In June 2015, the company, its parent and the other group subsidiaries ("the undertakings") all separately appointed FC as their DPO.
On the competent supervisory authority's request, the undertakings dismissed FC from his DPO duties, due to a conflict of interests in his roles. This was because, as DPO, FC was required to report directly to the highest management level of the controller or processor, i.e. the works council(s) of which FC was chair and vice-chair.
In the action brought by FC before the German courts, FC sought a declaration that he retain the position of DPO of X-FAB. X-FAB submitted that there was a risk of a conflict of interests if FC simultaneously performed the functions of DPO and chair of the works council, on the ground that those two posts are incompatible. X-FAB argued that there was, therefore, a just cause justifying FC’s dismissal as DPO.
The courts of first instance and of appeal upheld FC’s action. The appeal on a point of law brought by X-FAB before the Federal Labour Court, Germany, which is the referring court, sought to have that action dismissed.
The referring court observed that the outcome of the appeal depended on the interpretation of EU law. In particular, the question arose as to whether the second sentence of Article 38(3) of the GDPR, and its prohibition on the dismissal of DPOs for performing their tasks, precludes Germany from imposing stricter conditions for dismissing a DPO than those laid down by EU law. The referring court also asked whether the functions of chair of the works council and of DPO of that undertaking may be performed by one and the same person, or whether that would give rise to a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR.
CJEU decision
The CJEU found that Member States are permitted to introduce additional protections against the dismissal of DPOs, but any such protections cannot undermine the achievement of the objectives of the GDPR. This may arise if a DPO cannot be dismissed when they no longer possess the professional qualities required to perform their tasks, as required by Article 37(5) GDPR (as previously noted by the CJEU in Leistritz, Case C-534/20).
In addition, the CJEU found that any increased protection for the DPO which would prevent their dismissal in the event that they are no longer in a position to act in an independent manner, due to a conflict of interests, would undermine the objectives of the GDPR.
The CJEU held that it is inconsistent with the required independence of the DPO role for the same individual to be advising the business on its data protection compliance, while also making decisions about how to carry out processing activities. A core part of the DPO role is to review the objectives and methods of processing independently, and this is not possible where the DPO is also the person making the final decision. The existence of a conflict of interests must be assessed on a case-by-case basis, taking into account all relevant circumstances, including the organisational structure of the controller or its processor, and any other applicable rules, including any relevant policies of the controller or its processor.
The findings in X-FAB Dresden provide a timely reminder for DPOs of their statutory obligation to avoid holding any other role that would result in a conflict of interests, as this month the EDPB launches its coordinated enforcement action for 2023 on the designation and position of DPOs ("CEA 2023"). The CEA 2023 will assess whether organisations have met their applicable DPO requirements under Articles 37-39 GDPR, and whether DPOs have the necessary resources to carry out their tasks. National supervisory authorities will implement the CEA 2023 through questionnaires to DPOs and formal investigations into certain identified organisations. [1]
The CJEU's decision follows earlier Article 29 Working Party Guidance that a DPO "cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data" [2].
National Supervisory Authority Positions
X-FAB Dresden follows a series of national decisions which reach similar conclusions. The following roles were considered to present a "conflict of interest" when assigned to a DPO:
- Head of Compliance, Risk Management and Internal Audit [3];
- Head of Operational Risk Management, Information Risk Management, and Special Investigations Unit in a bank [4];
- MLRO / Head of Compliance [5];
- Defence counsel for the controller or processor in litigation [6];
- Deputy General Counsel for the controller [7]; and
- Managing Director of other subsidiaries within a group. [8]
I'm a DPO – can I be personally liable for having tasks which result in a conflict of interest?
The onus is on controllers and processors to ensure the DPO avoids holding conflicting positions. [9] Article 38(6) GDPR does not hold the DPO personally liable. However, the CJEU is due to decide on whether GDPR proceedings for an administrative fine in Germany may be brought directly against a natural person later this year. [10]
Avoiding conflicts of interest – Key takeaways for organisations
- Involve your DPO in matters involving the processing, but ensure they are not designated any decision-making authority.
- If a significant personal data-related decision arises in the context of the DPO's other role, they should delegate the decision to someone of appropriate seniority to make it on their behalf (and document that they have done so).
- In the event of a personal data breach, the DPO should attend meetings on the incident and provide a view or opinion, but should not be the party who determines the risk of the breach and / or if the controller should notify the relevant supervisory authority.
- When appointing a DPO, map potential appointees' pre-existing responsibilities to identify if any involve making a decision on personal data processing and if they can be mitigated or transferred. A review of your organisation's Record of Processing Activities should assist here.
- Ensure DPO contracts or appointment letters contain sufficient detail regarding any tasks or responsibilities that would constitute a "conflicting" position. A declaration of no conflict by an incoming DPO may also be appropriate.
- Document any mitigating measures for potentially conflicting positions in the relevant data protection policies.
Contact Us
If you would like to discuss this article, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact any other member of the Technology and Innovation Group.
This article discusses DPOs and conflicts of interest. For advice on DPOs more generally, please see previous Matheson publications.
With thanks to Anna Nichols for her contribution to this article.